Veterans Angered by File Scandal
Wednesday, May 24, 2006
Veterans brimmed with shock and anger yesterday at the loss of their personal data by the Department of Veterans Affairs, but in many ways the information security breach should not have come as a surprise.
The department has consistently ranked near the bottom among federal agencies in an annual congressional scorecard of computer security. For five years, the VA inspector general has identified information security as a material weakness and faulted officials for slow progress in tackling the problem.
As many as 26.5 million veterans were put at risk of identity theft May 3 when an intruder stole an electronic data file from the Aspen Hill home of a VA data analyst, who was not authorized to remove the data from his office. The electronic file contained names, birth dates and Social Security numbers of veterans discharged since 1975, as well as veterans who were discharged earlier and filed for VA benefits.
VA officials waited two weeks to call in the FBI to investigate the theft, the Associated Press reported, citing two law enforcement sources.
"To the best of my knowledge, the loss of 26 million records by VA is the largest by a federal agency to date," said Rep. Thomas M. Davis III (R-Va.), chairman of the House Government Reform Committee. "Perhaps if the department improved its compliance with the existing information protection laws, this breach would not have happened. There seem to be two problems here: a department that's inadequately protected, and an employee who acted incredibly irresponsibly."
In 2005, Veterans Affairs earned an F on the annual federal computer security report card compiled by Davis's committee, the same grade it has received every year but one since the scorecard began in 2001. (It got a C in 2003.) The government-wide average for 2005 was a D-plus, but there were wide variations -- the Social Security Administration got an A-plus, while the departments of Defense and Homeland Security earned F's.
The report card measures compliance with the 2002 Federal Information Security Management Act, which requires agencies to test their systems, develop cyber-security plans and report on their progress.
"We continue to get a number of wake-up calls from these breaches that shows that we still have a ways to go before we have a truly robust information security posture nationally," said Greg Garcia, vice president for information security at the trade group Information Technology Association of America.
Veterans groups reported mounting anger and frustration.
Steve Kennebeck, 46, an Army sergeant who retired from the military in 1997 after 20 years, said he called a special VA toll-free number but was unable to learn whether he was among affected veterans. His father and two brothers, veterans all, are wondering, too.
"We've probably all been compromised," said Kennebeck, who lives in Washington. "I'm angry. . . . If we had done something like that in the military, we'd be punished by courts-martial. We protect America, and do they protect our personal information? No. It's galling. Somebody's head should roll."
VA officials did not return two telephone calls seeking comment yesterday. VA Secretary Jim Nicholson said Monday that the employee has been placed on administrative leave pending investigations by the FBI, the VA inspector general and local police. Nicholson said he has directed all VA employees to complete a computer security training course by the end of June.
Advocates called on the federal government to, at a minimum, pay to help veterans increase monitoring of their credit. "The VFW feels strongly that the government must accept responsibility for any consequences of this inexcusable breach of trust with America's veteran community," Robert E. Wallace, executive director of Veterans of Foreign Wars, wrote Sen. Larry E. Craig (R-Idaho), chairman of the Veterans Affairs Committee. Craig has indicated he will hold hearings. The House Veterans Affairs Committee has scheduled a hearing for 9 a.m. tomorrow.
The Veterans Affairs Department provides millions of veterans with health care, home loans, disability compensation and a burial plot. In doing so, it collects Social Security numbers, service histories and medical records.
But the sprawling bureaucracy, with 220,000 employees nationwide, has not always been the best steward of sensitive data. In more than a dozen reports, audits and reviews since 2001, the VA inspector general has repeatedly cited the department for security problems in the handling of personal information.
In 2003, tests by IG staff showed that a hacker could gain access to veterans' protected medical information from outside the VA network.
In 2005, reviews found that access controls were not consistently applied at dozens of data centers, medical centers and regional offices. Recommendations included ensuring that background checks are performed on VA and contract workers, restricting off-duty workers' access to sensitive information and providing annual security awareness training for employees.
In a report last November, acting Inspector General Jon A. Wooditch wrote that many of the security concerns the IG had reported on for years remained unresolved. He cited a March 2005 report, saying 16 recommendations still had not been implemented eight months later.
"We identified significant information security vulnerabilities that place VA at considerable risk of . . . disruption of mission-critical systems, fraudulent benefits payments, fraudulent receipt of health care benefits, unauthorized access to sensitive data and improper disclosure of sensitive data," he wrote. "The magnitude of these risks is impeding VA from carrying out its mission of providing health care and delivering benefits to our nation's veterans."